This course introduces real-time cyber security techniques and methods in the context of the TCP/IP protocol suite. An explanation of some basic TCP/IP security hacks is used to introduce the need for network security solutions such as stateless and stateful firewalls. Learners are introduced to the techniques used to design and configure firewall solutions such as packet filters and proxies to protect enterprise assets.
Perimeter solutions such as firewalls and intrusion prevention systems are shown to have significant drawbacks in common enterprise environments. Such weaknesses are shown to be exploited by advanced persistent threats (APTs) from nation-state actors. Potential solutions for the modern enterprise are presented for such attacks, as well as for DDoS and third-party attacks.

Instructor

Dr. Edward G. Amoroso

Transcript

Hi, everyone. Ed Amoroso here. I want to take this time on this video to introduce you to something called packet filtering, which is absolutely fundamental to real-time cybersecurity. Turns out that for many years companies and homes and businesses, everybody would connect to the Internet through a device called the router. You'd have one given to you by your ISP or you'd go buy one, whatever made sense. And the router really was designed to move packets. I mean routers are devices that were invented to move packets, to move TCP/IP packets from one place to another. They come designed with rules and what happens is packets hit on an inbound interface to a router. And the router generally has rules that are put in place around what to do with the packet, meaning where you route it. So you can think of it as the workhorse that makes the Internet run, and there are companies, Cisco Systems, Juniper Systems, some others, that became very popular and became very powerful and successful in the late 80s and into the 90s and 2000s, to the present time, building wonderfully powerful and feature-rich routing equipment. But it turned out that everybody kind of noticed that if you had a device, a router that's sitting there doing what I just said, you went, if I'm going to make a security decision, why not do it there? I mean it's there, right? If it's already doing rules, couldn't I add some rules there that just say, hey, you know, is this allowed or not allowed? Now there are design decisions that come with that. I mean one is, if the main purpose for that router is to be fast, like if they're an Internet service provider and it's a core router that's moving lots of stuff, maybe you're not going to be okay with that. You might say, hey, listen, anything that slows this thing up, forget it. You know, you're not going to put any stupid additional rules in this. This thing has to move, this has to smoke. This has to be pushing packets fast.
But there might be others where it's not as big a deal. For example, the router that's sitting on your desk, connecting to your ISP. Is it really important that you preserve every microsecond of processing on that thing? Probably not. Even if you're a gamer, it's probably not going to be a big deal. So kind of in the 90s we started realizing, it was a little early, but commercially started realizing that you could write some very simple code to a router called a packet filter. I'll pop up a picture here, it shows Alice and Bob with a little firewall. This is typically how we show a firewall, the large vertical tower there with the supposed bricks that are in the icon. And you can see a SYN packet going from Alice to Bob. And the code that would be on that firewall router, that big tower, would be a big if-then-else. And you can see the code, if the packet header has the output set to 0, then that's the beginning of a session. Then look and see what's going on. What's the source IP? What's the destination port? What's the source port? And then decide whether we allow or block, and that would be just, you'd decide as the coder. If it's port 80 and you don't want people hitting your web server, then you drop it. If it's port 80 and you're okay with people hitting your web server, you allow it. You get the point? That would be the rule. And then you say, if the packet, the ACK bit, is 1, let it through. Or you can drop it, or something else. You're the designer, you figure out what kind of rules make sense. But generally, in a packet filter, the only options you're going to have are to allow or block. You can let the packet go through, or you can kick the packet off into the garbage, A or B. And you have to have some sort of condition that drives that. So these are logical conditions that are examined in sequence. And it's just sort of an artifact of the way these things were originally developed that you'll develop a first rule, a second rule, a third rule.
All the way down to an nth rule, which we call the default rule, meaning you gotta put something that matches something. You can't have a device that just never matches, where you write these rules and nothing matches. So every router will have a default that will always match and either allow or block. We'll get to that. But that's packet filtering, and you can see that designing what you'd like these rules to be can be a little tricky. Making sure that you do not impose some kind of performance penalty on the router can be tricky. Kind of connecting your intent of what you want the policy to be with the real implementation can be tricky. Do you follow? Having multiple routers, maybe from multiple vendors, and imposing the same implementation, the same policy, can be tricky. And I remember Cisco Systems telling all of us back in the 90s that if you wanted to learn to configure routers and to do packet filtering and so on, they said you should take our beginners course, which I did, it was a one-week course. And they said then go back to work for two, three months full time with a router. Then take our intermediate course, then go back to work for about six months with a router. And now, you can call yourself a beginner. [LAUGH] It sounds like a lot of work to get to a beginner, but you get the idea. This is not simple snap stuff. And I do understand that some of you may write some rules for your home router. For a business it might be slightly more complicated, but the bottom line is that this idea of putting the rules into the router is a good idea. So let's do a little quiz to test our understanding. Now the answer is D, and some of you may be saying, that's not fair! You didn't tell us about forwarding. But this is my way of introducing the concept to you. It turns out that there really are three options here. I can allow it, I can block it, or I can send it somewhere and say I'm not sure. That makes this interesting.
If a router can only pass or block, we've got problems. But if I can program the router to say I need more information, then all of real-time cybersecurity is enabled. This is how we have cybersecurity, intrusion detection and prevention, surveillance, and data leakage prevention; all of these different types of capabilities are enabled by the fact that sometimes, when we're not entirely sure, we can forward packets in sessions to intermediaries that you'll see pretty soon we're going to call proxies. But for now we're going to stick with packet filtering, and in our next video I'll teach you a little bit more about how you do it. I'll see you on the next one.
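To make the lecture's big if-then-else concrete, here is an added Python model of a packet filter (example code written for this page, not anything from the course or from any router vendor). Rules are examined in sequence, the first match decides, the last rule is the always-matching default, and each rule can allow, block, or forward the packet to a proxy for a closer look. The rule names, the web server address and the sample packets are all constructed for illustration. It also goes one step beyond the lecture by reporting rules that can never fire because an earlier catch-all shadows them, which is one of the ways intent and implementation drift apart that the lecture warns about.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


class Action(Enum):
    ALLOW = "allow"      # let the packet through
    BLOCK = "block"      # kick it into the garbage
    FORWARD = "forward"  # "I'm not sure": hand it to an intermediary (proxy) for a closer look


@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (constructed, not a real capture)."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    syn: bool  # SYN set: the beginning of a session
    ack: bool  # ACK set: belongs to a session already under way


@dataclass(frozen=True)
class Rule:
    """One if/then clause of the filter. A field left as None matches anything."""
    name: str
    action: Action
    src_net: Optional[str] = None   # CIDR, e.g. "203.0.113.0/24"
    dst_net: Optional[str] = None
    dst_port: Optional[int] = None
    syn: Optional[bool] = None
    ack: Optional[bool] = None

    def is_catch_all(self) -> bool:
        return all(f is None for f in (self.src_net, self.dst_net, self.dst_port, self.syn, self.ack))

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and ip_address(pkt.src_ip) not in ip_network(self.src_net):
            return False
        if self.dst_net is not None and ip_address(pkt.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        if self.ack is not None and pkt.ack != self.ack:
            return False
        return True


class PacketFilter:
    """Rules are examined in sequence; the first match decides. The nth rule must be the default."""

    def __init__(self, rules: List[Rule]):
        if not rules or not rules[-1].is_catch_all():
            raise ValueError("last rule must be a catch-all default so every packet matches something")
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> Tuple[str, Action]:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.name, rule.action
        raise AssertionError("unreachable: the default rule matches every packet")

    def unreachable_rules(self) -> List[str]:
        """Names of rules that can never fire because an earlier rule already matches everything."""
        for i, rule in enumerate(self.rules):
            if rule.is_catch_all():
                return [r.name for r in self.rules[i + 1:]]
        return []


# Constructed policy: 192.0.2.10 is a hypothetical web server we do not want outsiders to reach.
RULES = [
    # Rule 1: a SYN aimed at port 80 on the web server is the start of a session we do not want.
    Rule("block-web-syn", Action.BLOCK, dst_net="192.0.2.10/32", dst_port=80, syn=True, ack=False),
    # Rule 2: ACK set means the session is already under way, so let it through.
    Rule("allow-established", Action.ALLOW, ack=True),
    # Rule 3: a new mail session is neither clearly good nor clearly bad: send it to a proxy.
    Rule("forward-smtp-to-proxy", Action.FORWARD, dst_port=25, syn=True, ack=False),
    # Rule n: the default, which always matches. This policy blocks by default.
    Rule("default-block", Action.BLOCK),
]
FILTER = PacketFilter(RULES)


def decide(pkt: Packet) -> Tuple[str, Action]:
    """Run one constructed packet through the filter and report which rule fired."""
    return FILTER.decide(pkt)


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.5", "192.0.2.10", 40000, 80, syn=True, ack=False),   # new web session
        Packet("203.0.113.5", "192.0.2.10", 40000, 443, syn=False, ack=True),  # established session
        Packet("203.0.113.5", "192.0.2.20", 40000, 25, syn=True, ack=False),   # new mail session
        Packet("203.0.113.5", "192.0.2.10", 40000, 22, syn=True, ack=False),   # nothing specific
    ]
    for pkt in samples:
        print(pkt.dst_port, pkt.syn, pkt.ack, "->", decide(pkt))
    print("unreachable:", FILTER.unreachable_rules())
```

Rule order is the whole game: the same four rules with the default moved to the front would block everything and `unreachable_rules()` would list the other three, which is exactly the kind of gap between the policy you meant and the configuration you wrote that is hard to spot by reading a long rule list.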